Commit graph

7283 commits

Author SHA1 Message Date
Floris Bruynooghe
2d895a0119 Make messages returned by Thread objects owned
This reverses the logic of StandaloneMessage to instead create a
OwnedMessage.  Only the Thread class allows retrieving messages more
then once so it can explicitly create such messages.

The added test fails with SIGABRT without the fix for the message
re-use in threads being present.
2020-06-16 08:02:02 -03:00
Anton Khirnov
1317579079 python/notmuch2: do not destroy messages owned by a query
Any messages retrieved from a query - either directly via
search_messages() or indirectly via thread objects - are owned by that
query. Retrieving the same message (i.e. corresponding to the same
message ID / database object) several times will always yield the same
C object.

The caller is allowed to destroy message objects owned by a query before
the query itself - which can save memory for long-lived queries.
However, that message must then never be retrieved again from that
query.

The python-notmuch2 bindings will currently destroy every message object
in Message._destroy(), which will lead to an invalid free if the same
message is then retrieved again. E.g. the following python program leads
to libtalloc abort()ing:

import notmuch2
db   = notmuch2.Database(mode = notmuch2.Database.MODE.READ_ONLY)
t    = next(db.threads('*'))
msgs = list(zip(t.toplevel(), t.toplevel()))
msgs = list(zip(t.toplevel(), t.toplevel()))

Fix this issue by creating a subclass of Message, which is used for
"standalone" message which have to be freed by the caller. Message class
is then used only for messages descended from a query, which do not need
to be freed by the caller.
2020-06-16 08:02:02 -03:00
Floris Bruynooghe
1bca41698a python config access: fix style and KeyError bug
This fixes some minor style/pep8 things and adds tests for the new
config support.  Also fixes a bug where KeyError was never raised
on a missing key.
2020-06-15 21:50:03 -03:00
Anton Khirnov
5a58754841 python/notmuch2: add bindings for the database config strings 2020-06-15 21:50:03 -03:00
Floris Bruynooghe
b7e3a347ac Update tox.ini for python3.8 and fix pypy3.6
Python 3.8 has been released for a while now, make sure we keep
supporting it correctly.

PyPy 3.6 wasn not configured correctly.
2020-06-15 11:25:39 -03:00
Floris Bruynooghe
a00f3a1f7a Add missing set methods to tagsets
Even though we use collections.abc.Set which implements all these
methods under their operator names, the actual named variations of
these methods are shockingly missing.  So let's add them manually.
2020-06-15 07:14:11 -03:00
Tomi Ollila
963e363a23 configure: use cffi.FFI().verify() to test buildability of CFFI bindings
Checking existence of pyconfig.h to determine whether CFFI-based
notmuch bindings are buildable is not enough; for example Fedora 32
ships pyconfig.h in python3-libs package, but python3-devel is required
to be installed for the bindings to build.

Executing cffi.FFI().verify() is pretty close to what is done in
bindings/python-cffi/notmuch2/_build.py to get the c code part of the
bindings built.
2020-06-09 23:06:03 -03:00
David Bremner
411229f26b debian: changelog stanza for 0.30~rc1-1 2020-06-06 08:07:13 -03:00
David Bremner
3bb546b30f version: bump to 0.30~rc1 2020-06-06 08:02:16 -03:00
Tomi Ollila
ed40579ad3 emacs docstrings: consistent indentation, newlines, periods
Fixed emacs docstrings to be consistent. No functional change.

- removed some (accidental) indentation
- removed some trailing newlines
- added trailing periods where missing (some exclusions)
2020-06-06 07:55:58 -03:00
Tomi Ollila
507d2f07a6 doc: field processor support now always included, adjust manual pages
The features that require field processor support, are now just
documented w/o mentioning **Xapian Field Processors**' is needed
for those.

Replaced "compact" and "field_processor" with "retry_lock" in
build_with config option, as it is currently the only one that
is optionally excluded. The former 2 are now documented as
features always included.

Dropped one 'we' "passive" in notmuch-search-terms.rst. It was the
only one, and inconsistent with rest of the documentation in that
file.

Dropped message about conditional open-ended ranges support, as
those are now always supported.
2020-06-06 07:54:34 -03:00
Tomi Ollila
ca37d8950b configure: require python 3.5 for CFFI-based notmuch bindings
Also tell users what the consequences of a "No" answer is when
python version is less than 3.5, cffi or setuptools is missing,
or no pytest >= 3.0 is available.
2020-06-06 07:44:14 -03:00
David Bremner
30f8bc8cee debian: update debian/copyright
This is based on the updated AUTHORS file.
2020-06-05 07:00:35 -03:00
David Bremner
5d92582b13 doc: update AUTHORS file
I tried to be inclusive, and did not delete anyone from Carl's
original file. I also reworded the acknowledgement of Google LLC.
2020-06-05 07:00:35 -03:00
David Bremner
55619625eb devel: script to calculate a list of authors.
As an initial heuristic, report anyone with at least 15 lines of code
in the current source tree. Test corpora are excluded, although
probabably this doesn't change much about the list of authors
produced.
2020-06-05 07:00:35 -03:00
David Bremner
ba35784114 tweaks to NEWS suggest by Tomi
See id:m27dwp40sx.fsf@guru.guru-group.fi
2020-06-05 06:58:31 -03:00
Tomi Ollila
2c7b3d3a80 NEWS: The minimum supported version of Xapian is now 1.4.0 2020-06-05 06:56:11 -03:00
Daniel Kahn Gillmor
1277f3c129 add NEWS for 0.30
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-06-01 23:26:51 -03:00
David Bremner
19a83d898d debian: bump debian revision
second, with binaries upload
2020-06-01 23:16:09 -03:00
David Bremner
3ee29bde69 debian: Add build dependency on doxygen 2020-06-01 21:38:02 -03:00
David Bremner
617377755a debian: add desktop-file-utils dependency
This enables installation of notmuch-emacs-mua.desktop
2020-06-01 21:32:23 -03:00
David Bremner
5b85699d6c NEWS: stub for 0.30 2020-06-01 21:09:28 -03:00
David Bremner
e66e5db768 debian: add changelog for release candidate 2020-06-01 21:03:06 -03:00
David Bremner
dfd092e95d version: bump to 0.30~rc0 2020-06-01 21:00:04 -03:00
David Bremner
01fe987eec bump date in documentation 2020-06-01 20:58:52 -03:00
David Bremner
ee8dba1c30 doc: fix for out-of-tree builds of notmuch-emacs docs
The sphinx-doc include directive does not have the ability to include
files from the build tree, so we replace the include with reading the
files in conf.py. The non-trivial downside of this is that the emacs
docstrings are now defined for every rst source file. They are
namespaced with docstring::, so hopefully there will not be any
surprises. One thing that is noticable is a small (absolute) time
penalty in running sphinx-doc.
2020-06-01 09:07:50 -03:00
Tomi Ollila
16d073ebe8 configure: check existence of python3 setuptools and dev package
The notmuch2 CFFI-based Python interface is not buildable unless
python3 dev package and python3 setuptools are installed.

Check that these exist in configure (and disable notmuch2 bindings
build if not) so that build of these bindings don't fail when make(1)
is executed.
2020-06-01 08:02:43 -03:00
Sean Whitton
3e6e219384 emacs: Respect load-prefer-newer when loading `notmuch-init-file'
Before this change, `load-prefer-newer' was ignored.

Set NOERROR and MUST-SUFFIX arguments of `load' to t, and NOSUFFIX
argument to nil, to preserve the behaviour of the deleted `let' form.
2020-06-01 07:52:28 -03:00
Daniel Kahn Gillmor
b624b406ff tests/ruby: Ensure that test works for out-of-tree builds 2020-05-31 13:52:33 -03:00
Daniel Kahn Gillmor
ef0ab496b3 python-cffi: enable out-of-tree builds
This is a simple hack to enable out-of-tree builds, a concern raised
by Tomi in id:m24kzjib9a.fsf@guru.guru-group.fi

This change at least enables "make check" to complete without error,
but I'm sure it could be improved.  I am not expert enough in
setuptools to know how.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Amended by db per id:87d06usa31.fsf@powell.devork.be
2020-05-30 12:42:14 -03:00
Tomi Ollila
c9e55a712e test/test-lib.sh: fix two out of tree test issues
json_check_nodes.py exists in source tree, not in out of tree
build tree. Added -B to the execution so source tree is not
"polluted" by a .pyc file when json_check_nodes.py is executed.

When creating run_emacs.sh make it load .elc files from out of
tree build tree, not from source tree if such files existed.
If existed, those may be outdated, or even created by some other
emacs than the one that was used to build .elc files in out of
tree build dir.
2020-05-30 12:42:14 -03:00
Jonas Bernoulli
291ef68ede emacs: Use dolist' instead of mapcar' for side-effects
As recommended by the byte-compiler.
2020-05-26 20:23:14 -03:00
Daniel Kahn Gillmor
6cdf4b7e38 smime: Index cleartext of envelopedData when requested
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:12:00 -03:00
Daniel Kahn Gillmor
cb88b51fe5 smime: Pass PKCS#7 envelopedData to node_decrypt_and_verify
This change means we can support "notmuch show --decrypt=true" for
S/MIME encrypted messages, resolving several outstanding broken tests,
including all the remaining S/MIME protected header examples.

We do not yet handle indexing the cleartext of S/MIME encrypted
messages, though.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:51 -03:00
Daniel Kahn Gillmor
1a34f68a58 crypto: handle PKCS#7 envelopedData in _notmuch_crypto_decrypt
In the two places where _notmuch_crypto_decrypt handles
multipart/encrypted messages (PGP/MIME), we should also handle PKCS#7
envelopedData (S/MIME).

This is insufficient for fully handling S/MIME encrypted data because
_notmuch_crypto_decrypt isn't yet actually invoked for envelopedData
parts, but that will happen in the following changes.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:40 -03:00
Daniel Kahn Gillmor
2b108728c4 crypto: Make _notmuch_crypto_decrypt take a GMimeObject
As we prepare to handle S/MIME-encrypted PKCS#7 EnvelopedData (which
is not multipart), we don't want to be limited to passing only
GMimeMultipartEncrypted MIME parts to _notmuch_crypto_decrypt.

There is no functional change here, just a matter of adjusting how we
pass arguments internally.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:33 -03:00
Daniel Kahn Gillmor
1b9f4a9863 cli/reply: Ignore PKCS#7 wrapper parts when replying
When composing a reply, no one wants to see this line in the proposed
message:

    Non-text part: application/pkcs7-mime

So we hide it, the same way we hide PGP/MIME cruft.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:25 -03:00
Daniel Kahn Gillmor
f12fb4d819 cli/show: If a leaf part has children, show them instead of omitting
Until we did PKCS#7 unwrapping, no leaf MIME part could have a child.

Now, we treat the unwrapped MIME part as the child of the PKCS#7
SignedData object.  So in that case, we want to show it instead of
deliberately omitting the content.

This fixes the test of the protected subject in
id:smime-onepart-signed@protected-headers.example.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:17 -03:00
Daniel Kahn Gillmor
5f4aceee26 cli: include wrapped part of PKCS#7 SignedData in the MIME tree
Unwrap a PKCS#7 SignedData part unconditionally when the cli is
traversing the MIME tree, and return it as a "child" of what would
otherwise be a leaf in the tree.

Unfortunately, this also breaks the JSON output.  We will fix that
next.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:07 -03:00
Daniel Kahn Gillmor
ad60e5d4e8 smime: Identify encrypted S/MIME parts during indexing
We don't handle them correctly yet, but we can at least mark them as
being encrypted.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:10:55 -03:00
Daniel Kahn Gillmor
38bd0df922 lib: index PKCS7 SignedData parts
When we are indexing, we should treat SignedData parts the same way
that we treat a multipart object, indexing the wrapped part as a
distinct MIME object.

Unfortunately, this means doing some sort of cryptographic
verification whose results we throw away, because GMime doesn't offer
us any way to unwrap without doing signature verification.

I've opened https://github.com/jstedfast/gmime/issues/67 to request
the capability from GMime but for now, we'll just accept the
additional performance hit.

As we do this indexing, we also apply the "signed" tag, by analogy
with how we handle multipart/signed messages.  These days, that kind
of change should probably be done with a property instead, but that's
a different set of changes.  This one is just for consistency.

Note that we are currently *only* handling signedData parts, which are
basically clearsigned messages.  PKCS#7 parts can also be
envelopedData and authEnvelopedData (which are effectively encryption
layers), and compressedData (which afaict isn't implemented anywhere,
i've never encountered it).  We're laying the groundwork for indexing
these other S/MIME types here, but we're only dealing with signedData
for now.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:10:46 -03:00
Daniel Kahn Gillmor
7880092964 configure: report GMime minimum version in ./configure output
We already report the minimum version for Glib, zlib, and Xapian
development libraries.  For consistency, report it for GMime as well.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:07:51 -03:00
Daniel Kahn Gillmor
b14d9ae204 smime: tests of X.509 certificate validity are known-broken on GMime < 3.2.7
When checking cryptographic signatures, Notmuch relies on GMime to
tell it whether the certificate that signs a message has a valid User
ID or not.

If the User ID is not valid, then notmuch does not report the signer's
User ID to the user.  This means that the consumer of notmuch's
cryptographic summary of a message (or of its protected headers) can
be confident in relaying the reported identity to the user.

However, some versions of GMime before 3.2.7 cannot report Certificate
validity for X.509 certificates.  This is resolved upstream in GMime
at https://github.com/jstedfast/gmime/pull/90.

We adapt to this by marking tests of reported User IDs for
S/MIME-signed messages as known-broken if GMime is older than 3.2.7
and has not been patched.

If GMime >= 3.2.7 and certificate validity still doesn't work for
X.509 certs, then there has likely been a regression in GMime and we
should fail early, during ./configure.

To break out these specific User ID checks from other checks, i had to
split some tests into two parts, and reuse $output across the two
subtests.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:04:57 -03:00
Daniel Kahn Gillmor
627460d7bb test-lib: mark function variables as local
Several functions in test/test-lib.sh used variable names that are
also used outside of those functions (e.g. $output and $expected are
used in many of the test scripts), but they are not expected to
communicate via those variables.

We mark those variables "local" within test-lib.sh so that they do not
get clobbered when used outside test-lib.

We also move the local variable declarations to beginning of each
function, to avoid weird gotchas with local variable declarations as
described in https://tldp.org/LDP/abs/html/localvar.html.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-09 08:32:51 -03:00
Daniel Kahn Gillmor
02a2bf1b25 notmuch(1): clarify documentation about --option/value separators
id:CA+Tk8fzRiqxWpd=r8=DRvEewNZXUZgD7MKyRLB1A=R-LxxGEZw@mail.gmail.com
started a thread of discussion that showed that the cli's current
idiosyncrasies around dealing with boolean options were not
understandable.

This attempts to improve the documentation at least (actual changes to
the API might be better, but have not reached consensus).

Note that no one in the discussion thread identified any other
(non-boolean) command-line options that cannot use space as a
separator.  If such an option is identified (or introduced in the
future), it should be added explicitly to this part of the manual.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-08 08:58:46 -03:00
David Bremner
45cfeb2e55 lib: replace STRNCMP_LITERAL in __message_remove_indexed_terms
strncmp looks for a prefix that matches, which is very much not what
we want here. This fixes the bug reported by Franz Fellner in
id:1588595993-ner-8.651@TPL520
2020-05-04 10:55:43 -03:00
David Bremner
accfee5c6e test: known broken test for reindex tag preservation
In id:1588595993-ner-8.651@TPL520 Franz Fellner reported that tags
starting with 'attachment' are removed by 'notmuch reindex'. This is
probably related to the use of STRNCMP_LITERAL in
_notmuch_message_remove_indexed_terms.
2020-05-04 10:49:43 -03:00
Daniel Kahn Gillmor
9055dfdae4 tests: disable CRL checks from gpgsm
GPGME has a strange failure mode when it is in offline mode, and/or
when certificates don't have any CRLs: in particular, it refuses to
accept the validity of any certificate other than a "root" cert.

This can be worked around by setting the `disable-crl-checks`
configuration variable for gpgsm.

I've reported this to the GPGME upstream at
https://dev.gnupg.org/T4883, but I have no idea how it will be
resolved.  In the meantime, we'll just work around it.

Note that this fixes the test for verification of
id:smime-multipart-signed@protected-headers.example, because
multipart/signed messages are already handled correctly (one-part
PKCS#7 messages will get fixed later).

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 18:02:38 -03:00
Daniel Kahn Gillmor
b415ec06c3 test/protected-headers: Add tests for S/MIME protected headers
Recognize the protected subject for S/MIME example protected header
messages.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:57:37 -03:00
Daniel Kahn Gillmor
b1a04bddc2 tests/smime: add tests for S/MIME SignedData
Add a simple S/MIME SignedData message, taken from an upcoming draft
of
https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers/

RFC 8551 describes a SignedData, a one-part clearsigned object that is
more resistant to common patterns of MTA message munging than
multipart/signed (but has the downside that it is only readable by
clients that implement S/MIME).

To make sure sure notmuch can handle this kind of object, we want to
know a few things:

Already working:

 - Is the content of the SignedData object indexed?  It actually is
   right now because of dumb luck -- i think we're indexing the raw
   CMS object and it happens to contain the cleartext of the message
   in a way that we can consume it before passing it on to Xapian.
 - Are we accidentally indexing the embedded PKCS#7 certificates? We
   don't want to, and for some reason I don't understand, our indexing
   is actually skipping the embedded certificates already.  That's
   good!

Still need fixing:
 - do we know the MIME type of the embedded part?
 - do we know that the message is signed?
 - can notmuch-show read its content?
 - can notmuch-show indicate the signature validity?
 - can notmuch-reply properly quote and attribute content?

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:57:26 -03:00